How the FTC Regulates Reasonable Cybersecurity and Data Practices
When it comes to investigating company cybersecurity practices and protecting the privacy of consumers, there is no bigger government enforcer than the Federal Trade Commission (FTC). The FTC has authority under Section 5 of the Federal Trade Commission Act to investigate “unfair or deceptive acts or practices in or affecting commerce.” The FTC can investigate most businesses under this section, with the exception of nonprofit organizations and certain industries, such as federally regulated financial institutions and common carriers.
Over the years, the FTC has interpreted Section 5 to give it authority to investigate and bring enforcement actions against businesses that disclose personal information contrary to their publicly posted privacy policies (a deceptive practice) and against businesses that lose personal information entrusted to them by their customers because they did not have reasonable cybersecurity and other controls in place to protect such data (an unfair practice). This interpretation was most recently affirmed in 2015 by the U.S. Court of Appeals for the Third Circuit in a case concerning several cyber attacks that resulted in a data breach of the Wyndham hotel network.
Currently, the FTC’s authority is being challenged in the U.S. Court of Appeals for the Eleventh Circuit in the case LabMD, Inc. v. Federal Trade Commission. The FTC has alleged that LabMD stored sensitive personal information insecurely. The case will turn on whether the FTC can bring enforcement actions for data practices that create a significant risk of harm from potential unauthorized disclosure of consumer personal information when there is no proof of actual injury to consumers. The court’s eventual decision could have wide-ranging implications for future FTC enforcement actions on cybersecurity practices.
It may be difficult for a business to determine what cybersecurity and data practices the FTC may or may not consider reasonable in light of ever-evolving technology and cyber threats. However, the FTC publicly posts the details of all its enforcement actions and settlements on its website, and these have formed a type of case law for reasonable cybersecurity practices. The FTC also posts a number of relevant resources and articles on its website that businesses can use in developing their own practices. In addition, the FTC looks favorably on established information security frameworks and practices, such as the NIST Cybersecurity Framework.